On 11 Mar 2005, JM wrote:
>> When you say you tried it, how did you test?
>
> I probably made a premature comment. Nessus probings, for example,
> were ok for me before trying this kernel. Maybe other friends with
> more experience can say something. What specific tests are you
> referring to?

Basically, my question was: did you do any specific security assessment
of the new kernel/OS, or did you simply install it and verify that it
booted?

If you had done specific security testing, I could note that (and your
results, and ideally methodology) down, and not pay so much attention to
it if I did decide to evaluate this for a client of mine (or home use. :)

[...]

> - grSecurity 2.0.1

This seems to be a mixed bag, some of which is good and some, possibly
most, of which isn't.

There has been a push to get some parts of this into the mainline kernel
recently, and pretty much each attempt save one has been bounced as
insufficient, or not actually helpful.

> - Net-dev-random for 2.6.7.
> - Net-dev-random-drivers for 2.6.7.

IIRC, the network random changes from grSecurity were judged to reduce
overall randomness in the network stack by David Miller and the core
network team.

> - SELinux PaX hooks for 2.6.7.

There was a recent security announcement from the PaX team on Bugtraq
that ended the line of development, after a serious flaw in their
security model rendered machines considerably open, I note...

[...]

> - Openswan 2.3.0dr2 (improved IPSec stack).

This is a dead end, unless they have changed tack recently: the
official IPSec stack in 2.6 is based on the one Linus and David Miller
developed. Using it now seems ... effort without significant gain.

> - Fortuna CSRNG.

Every time this comes up on linux-kernel, it gets bounced, because there
isn't any significant security gain to it.

[...]

Overall, I can't say that any of those compel me toward the project,
other than the CAN, etc, bugfixes. I hope they pushed those to the
mainline kernel as well. ;)

OTOH, I wasn't impressed by the general principle, to start with, so
maybe I judge this project more harshly than I should. Who knows.

At least the idea of improving security in general is good, and I like
to see work done on it.

> If you are referring to bastille, I think it is a good program. Never had
> any problems with it. Just a little thing here and there, like creating
> some sort of directory it needed and the like. I believe some of the
> options need to be carefully considered.

Looking at the description, it could be. Still, I shouldn't judge it
based on the poor experiences of one person, I guess. :)

Daniel
--
The modern conservative is engaged in one of man's oldest exercises
in moral philosophy; that is, the search for a superior moral
justification for selfishness.
- J.K. Galbraith